I have a CSV file that has a header/title section with some interesting information in it (the run, application version, username, etc).
It then has 2 sections of CSV data with the same field names, but one is an exception section and one is the actual data. It looks like this:
Run ID,100
Run Date/Time,6/13/2019 7:07:51 PM
Application Name,
Application Version,1.0.0.0
Protocol Name,
User Name,John Doe
[EXCEPTIONS]
field1,field2,field3,field4
value1,value2,value3,value4
[DETAILS]
field1,field2,field3,field4
value1,value2,,value4
I am trying to avoid writing code to pre parse the data to something a little more Splunk friendly. Any ideas on how to leverage props/transforms to get the Run ID, Timestamp, Username in each line under the 2 csv sections?
We are ok with merging the exceptions and details sections into 1 as we do not necessarily need to distinguish between the 2 sections. But we do need to leverage one of the field rows as the CSV header values.
Help appreciated! :)
↧